AUDIT OF SECURITY AND CONTROLS OVER THE NATIONAL DRIVER REGISTER

National Highway Traffic Safety Administration

Report Number: FI–2008–003
Date Issued: October 29, 2007

U.S. Department of Transportation
Office of the Secretary of Transportation
Office of Inspector General

Memorandum

Subject: ACTION: Audit of Security and Controls Over the National Driver Register, NHTSA
Report Number: FI–2008–003
Date: October 29, 2007
From: Rebecca C. Leng, Assistant Inspector General for Financial and Information Technology Audits
Reply to Attn. of: JA–20
To: National Highway Traffic Safety Administrator

This report presents the results of our audit of the National Driver Register (NDR) Information System administered by the National Highway Traffic Safety Administration (NHTSA) in the Department of Transportation (DOT).[1] This central register allows state department of motor vehicles (DMV) officials to exchange information on problem drivers identified in each state, such as those convicted of driving under the influence of alcohol.[2]

Annually, Congress appropriates about $4 million to support NDR operations. Part of this funding is used to cover the cost associated with housing the mainframe NDR database at a contractor site.
State DMVs remotely access NDR through a network managed by the American Association of Motor Vehicle Administrators (AAMVA).[3] Through the AAMVA network, state DMVs can electronically exchange information with NDR and other states.

[1] Congress passed the Federal Highway Safety Act of 1960 (P.L. 86-660) to establish NDR, and the National Driver Register Act of 1982 (P.L. 97-364) to convert NDR to an electronic system. The National Driver Register Act also transferred the NDR responsibility from the Department of Commerce to DOT.
[2] A problem driver is defined as being an individual whose motor vehicle operator’s license has been denied, canceled, revoked, or suspended for motor vehicle-related traffic offenses.
[3] The same AAMVA network is also used to support the Commercial Driver’s License Information System (CDLIS), overseen by DOT’s Federal Motor Carrier Safety Administration.

State DMV officials report problem drivers to NDR using personally identifiable information, such as Social Security number and the driver’s name, date of birth, gender, height, weight, and eye color. When state officials process a driver’s license application, they are required to check the NDR database to determine if the applicant has been identified as a problem driver in another state. If a match is found in NDR, state officials are directed to another state DMV system for details on the traffic conviction.
In 2006, more than 70 million inquiries were made for drivers’ license applicants, 9 million of which were found to be problem drivers in NDR.[4]

The requirement to check applicants against NDR was intended to prevent problem drivers from “license shopping”—going to a different state to get a new driver’s license when their current licenses are suspended or revoked. Keeping problem drivers off the road is critical to the Department’s goal of reducing highway fatalities and injuries. For example, of the 43,000 deaths annually on U.S. roads, 17,000 are caused by alcohol-related incidents.

Other users of NDR data include Government agencies and private companies. For example, the Federal Aviation Administration, Federal Railroad Administration, and U.S. Coast Guard use NDR information to determine whether individuals are fit to occupy safety-sensitive positions, such as flying passenger aircraft or operating passenger trains or ships. Private companies in the transportation industry, such as those operating commercial motor vehicles carrying hazardous material, also request information from NDR on job applicants. In 2006, about 800,000 inquiries were made by Government agencies and private companies.

Our objectives were to determine whether (1) drivers’ personally identifiable information was properly secured from unauthorized access or unapproved use, (2) problem drivers were recorded in NDR in a timely manner, and (3) an adequate contingency plan existed to ensure continued services to state DMVs in the event of a disaster. This performance audit was conducted in accordance with Generally Accepted Government Auditing Standards prescribed by the Comptroller General of the United States and included such tests as we considered necessary to detect fraud, waste, or abuse.
Details of our scope and methodology are in Exhibit A.

[4] There are more than 200 million licensed drivers in the United States, with 42 million problem drivers’ records in NDR.

RESULTS IN BRIEF
Drivers’ personally identifiable information was properly secured in the NDR mainframe database; however, when transmitted or stored outside the mainframe computer, it was exposed to potential unauthorized access or unapproved use. For example, sensitive information is not encrypted when transmitted between states and NDR on the AAMVA network. In addition, problem drivers were not recorded in NDR in a timely manner––millions were not recorded until at least 1 year after conviction—and incomplete or inaccurate information on Social Security numbers and drivers’ physical attributes such as height, weight, and eye color were found in NDR. Finally, the NDR contingency plan testing was too limited to ensure adequate service to state DMVs in case of an emergency.

These issues are summarized below and detailed in the finding section, beginning on page 6.

Personally identifiable information was exposed to potential unauthorized access or unapproved use. We found security weaknesses in network transmission of sensitive information, background checks on personnel given access to NDR, and record storage and mission-critical computers in the NHTSA office.

Network Transmission. Forty-two (42) million records were properly secured in the NDR mainframe database. However, they were not encrypted when transmitted between state DMVs and NDR. Thus, they were subject to potential unauthorized access during network transmission.
Federal minimum security standards require the use of sophisticated encryption protection when transmitting sensitive information such as NDR records, but NHTSA does not control network transmissions between state DMVs and NDR. Instead, AAMVA is responsible for managing the network. In response to our concerns regarding the transmission of sensitive information over the network, NHTSA is developing an agreement with AAMVA to secure the sensitive data it transmits on the network.

Background Checks on Key Personnel. DOT policies require that Federal employees and contractor personnel receive the proper level of background checks before being given access to sensitive DOT systems and information. We found serious gaps in this control area. First, NHTSA employees responsible for maintaining NDR system software did not receive the higher level background checks comparable to their sensitive work. Second, AAMVA personnel working on the NDR Help Desk did not receive any background checks. Finally, NHTSA does not know whether contractor employees who control NDR mainframe data processing received proper background checks as specified in the contract. NHTSA needs to take immediate action to correct this weakness.

Record Storage and Mission-Critical Computers Used in the NHTSA Office. File cabinets used to store NDR-related records were unlocked, unattended, and exposed to unauthorized access. Computers that NHTSA staff used to access the NDR database were connected to the DOT shared network without protection. As a result, other computers on the shared network, if not properly secured, could become an entry point to gain unauthorized access to these mission-critical computers and, in turn, pose a threat to the confidentiality, integrity and availability of NDR data.
NHTSA has agreed to enhance security protection in its office.

Problem drivers were not recorded in NDR in a timely manner. Deficiencies were also found in the removal of records from NDR, recording of Social Security numbers and drivers’ physical attributes, and the planned NDR modernization effort. Specifically,

Timeliness of Recording Problem Driver Records. Based on our sample test, we estimate that state DMVs did not record 6 million problem driver records in NDR until at least 1 year after conviction. This delayed reporting could significantly impair other states’ ability to keep problem drivers from getting a driver’s license. We could not determine the timeliness of 35 percent of the sampled records due to a system design deficiency that allowed states to override the recorded entry dates in NDR. NHTSA needs to correct this system deficiency and work with state officials to improve the timeliness of recording problem drivers in NDR.

Removing Problem Drivers’ Records From NDR. When traffic convictions expire, the problem driver’s records are removed from NDR through interfaces with state DMV systems. However, NHTSA staff can also remove records from NDR manually. During 2006, NHTSA manually deleted about 1,000 records based on state officials’ requests. We sampled 157 requests and found 11 problem driver records that were wrongfully removed from NDR while these drivers’ convictions had not expired in state DMV systems. In response to our finding, state officials restored these records in NDR.
Although the number of records improperly deleted is relatively small, it could have a significant impact on public safety because problem drivers could obtain valid licenses or apply for safety-sensitive positions when their records were removed from NDR. NHTSA must strengthen controls over manual removal of records from NDR.[5]

Recording Personally Identifiable Information in NDR. When searching NDR to determine whether driver’s license applicants have been identified as problem drivers, state officials enter the drivers’ names and dates of birth. This can result in multiple matches in the NDR database, thus requiring further identification. To identify the driver, state officials have to use other information recorded in NDR, such as height, weight, eye color, or the applicant’s Social Security number or driver’s license number.[6] We found, however, that close to 18 million NDR records did not have complete information on height, weight, and eye color. We also found over 161,000 duplicate Social Security numbers, each one used by more than one driver within the same state (see details in Exhibit B). We referred information regarding these duplicate Social Security numbers to the Social Security Administration. The lack of complete and accurate information on drivers’ Social Security numbers and/or physical attributes made it more difficult for states’ officials to identify problem drivers. NHTSA needs to strengthen system edit checks on the information submitted by state officials.

[5] We verified that these 11 individuals did not get new personal driver’s licenses from their NDR state of record or commercial driver’s licenses from any state during the period when their records were removed from NDR. However, we could not determine whether any prospective employers had inquired about these individuals during this period.
[6] More than half of the records in NDR contain Social Security numbers. Providing Social Security numbers is not required for driver’s license applications under the current legislation, but will become mandatory under the Real ID Act, effective in May 2008.

Planning NDR Modernization. The NDR system design has stayed intact since its initial installation in the early 1980s. In 2006, NHTSA began to modernize NDR by converting flat files to a relational database and replacing programs with a modern-day programming language. Although this is definitely a step in the right direction, the planned modernization effort was too limited. For example, NHTSA did not evaluate the need to include encryption or enhanced data query capabilities in the planned upgrade, even though technologies for securing and processing information requests have changed significantly since the early 1980s. NHTSA should work with state DMVs to identify upgrade needs for modernization evaluation.

NDR contingency plan testing was too limited to ensure adequate service to state DMVs in case of emergency. Contingency planning is critical to determining whether an organization can continue to perform its mission in the event of disaster. To its credit, in cooperation with AAMVA and state DMVs, NHTSA has conducted quarterly testing of the NDR contingency plan. The testing included recovering NDR system operations at an alternate site and testing the network connection between the recovery site and AAMVAnet.
However, NHTSA has not tested whether the recovery system could process a similar amount of transactions as the primary system without slowing down state DMV operations. In addition, NDR’s backup tapes were stored only 15 miles away from the primary processing site. In the event of a regional disaster, NHTSA could lose both the data processing center and its off-site storage location, thereby compromising NDR’s operations. NHTSA should conduct capacity testing on the recovery system and select a more distant site at which to store NDR backup tapes.

We are making a series of recommendations to help NHTSA strengthen protection of sensitive NDR data and improve the efficiency of the NDR system. A complete list of our recommendations begins on page 15 of this report. In summary, we are recommending that NHTSA:

• Establish an interconnection agreement and memorandum of understanding with AAMVA that specifies the responsibilities of both organizations for the protection of NDR; encrypt data transmissions between NHTSA, the states, and NDR contractor sites; enhance background checks on personnel with access to NDR; and better protect NHTSA facilities used to manage NDR operations.

• Work with states to ensure that data on problem drivers are entered into NDR in a timely manner and with accurate personal information about the drivers, strengthen controls over manual removal of problem driver records from NDR, and evaluate other upgrade needs for the modernization effort.

• Test the transaction processing capacity of the recovery system and store back-up tapes at a more remote site.

We provided a draft of this report to NHTSA for comment on September 5, 2007, and on October 10th we received the Agency’s response.
NHTSA concurred or concurred in part with our recommendations and stated that many of the corrective actions needed are already in the process of being, or have already been, completed. The response further stated that comprehensive corrective action plans have already been developed for the remaining items. NHTSA’s response can be found in its entirety in the Appendix.

FINDINGS

Personally Identifiable Information Was Exposed to Potential Unauthorized Access or Unapproved Use

Sensitive Information Not Encrypted During Network Transmission
The NDR system resides on a mainframe computer located at a contractor’s site, where 42 million driver records were properly secured. However, sensitive NDR data are not properly secured when transmitted to state DMVs via a network managed by AAMVA or to NHTSA on a dedicated line (see figure 1).

Figure 1. Overview of NDR System Network Connections
[Diagram titled "NDR System Connections". Labeled elements: States, AAMVA-NET, AAMVA, Internet, Contractor (National Driver Register), DOT, NHTSA, FAA (Federal Aviation Administration), FRA (Federal Railroad Administration), Other OAs (Operating Administrations).]
Source: DOT OIG analysis of NDR network

In accordance with the Federal Information Security Management Act of 2002 (FISMA) and the National Institute of Standards and Technology (NIST) Publication 800-53, “Recommended Security Controls for Federal Information Systems,” systems that contain personally identifiable information should have their data encrypted when transmitted.
Further, the Privacy Act of 1974 requires that personally identifiable information collected by the Federal Government be adequately secured to protect an individual’s privacy from unauthorized access.

DOT Order H 10-202, “Departmental Guide to Network Security,” requires that different organizations connecting to a DOT system develop an interconnection security agreement (ISA) and a memorandum of understanding (MOU). The ISA should document the requirements for connecting the systems and describe the security controls that will be used to protect the systems and data, along with drawings of the interconnections. The MOU should define the purpose of the interconnection, identify authorities, and specify the responsibilities of both organizations.

The states have contracted with AAMVA to provide network services to transmit and receive data to and from the NDR database. These network transmissions were not encrypted and personally identifiable information was transmitted in clear text. If intercepted during transmission, drivers’ personally identifiable information could potentially be subjected to unauthorized access and unapproved use. This occurred because NHTSA did not follow departmental guidance to have an ISA and MOU with AAMVA to address security of the network connected to NDR. NHTSA should work with AAMVA to ensure that all NDR data being transmitted at the state level are encrypted and establish an ISA and MOU with AAMVA to ensure the security of NDR data.

NHTSA also uses a dedicated line to access the NDR mainframe database; however, the data transmitted were not encrypted.
NHTSA should provide data encryption for the information traversing this line.

Background Checks on Key Personnel Not Adequate
DOT Order 1630.2b, “Department of Transportation Personnel Security Manual,” requires that DOT employees receive different levels of background checks in accordance with the positions they occupy. For example, employees occupying high-risk positions, especially those with significant impact on mission-critical systems, are required to receive a higher level background check (called Background Investigation). For moderate-risk positions, a lower level background check (called National Agency Check and Inquiry) is required. DOT policy also requires that contractor employees receive the same types of background checks as DOT employees who perform comparable duties.

We identified inadequate background checks for both NHTSA employees and contractor personnel.

• Background Checks of NHTSA Employees. Of the 14 people responsible for monitoring and maintaining NDR system operations, 10 are NHTSA employees and 4 are contractors. All except 2 NHTSA employees received proper background checks. These two employees had the ability to make changes to NDR software, such as the criteria used to identify problem drivers, but they received only lower level background checks because NHTSA improperly assessed their positions as having a moderate risk. According to DOT policies, positions with a significant impact on mission-critical systems should be rated as having a high risk unless the work is subject to review by another position that has received the higher level background check. The two NHTSA employees’ work was not subject to such a review.

• Background Checks of Help Desk Personnel. Eight AAMVA personnel were responsible for operating the NDR Help Desk on behalf of NHTSA.
  However, none of the individuals received any background checks before potentially handling personally identifiable information as part of their duties. This happened because the cooperative agreement between NHTSA and AAMVA did not require background checks.

• Background Checks of NDR Contractor Personnel. The NDR mainframe database is housed at a contractor site. In the NDR contract, NHTSA required the contractor to order background checks on personnel given access to NDR in accordance with DOT policy. However, NHTSA did not request that the contractor identify the individuals given access to NDR data or programs, nor did it specify the types of background checks required. During our visit at the contractor’s site, we identified several contractor personnel with access to NDR and requested evidence of their completed background checks. Although the contractor complied with our request, we could not determine whether the background checks were adequate to meet DOT policy requirements because the contractor was unwilling to provide details on the type or level of background checks completed. As a result, there was no assurance that proper background checks had been performed on contractor personnel, who control NDR system operations, in accordance with NHTSA contract requirements.

Without proper levels of background checks, NHTSA could be missing critical information on personnel placed in key positions to ensure the integrity and security of computer operations. While background checks do not guarantee a person’s loyalty or trustworthiness, they do provide valuable information with which to help management determine whether an employee should be given access to DOT systems.
To mitigate the situation, NHTSA should reevaluate the position risk and associated background check requirement for the two NHTSA employees and modify the cooperative agreement with AAMVA to require AAMVA personnel providing Help Desk services to have the appropriate type of background check. In addition, it should require that the NDR data processing contractor identify individuals given access to NDR to ensure that they receive proper background checks in compliance with DOT policy.

Sensitive Records and Computers Used to Access NDR Not Properly Secured
According to NIST 800-53, only authorized users should have access to Agency information in printed or digital form. Additionally, the organization (NHTSA) should physically control and securely store information media, both physical and digital, based on the security category of information stored on the media.

At the NHTSA Headquarters NDR office, file cabinets containing personally identifiable information were unlocked—with the key in the lock during business hours. This security weakness could allow unauthorized personnel to view and obtain an individual’s personally identifiable information without being noticed. According to NDR management, at least one of its personnel was physically located in the office at all times, making it unnecessary to secure doors and file cabinets during working hours. However, during two separate visits to the NDR office, we found it unattended. NHTSA has agreed to enhance security protection in its office by keeping its NDR file cabinets locked.

Finally, we evaluated the security protection of 15 computers that NHTSA personnel use to access the NDR mainframe database. These computers reside on the network shared by thousands of DOT personnel.
We found vulnerabilities in this shared network and there was no additional security protection, such as a firewall, to protect these 15 computers. Consequently, other systems/computers on the shared network could become an entry point for gaining unauthorized access to these mission-critical computers and, in turn, the NDR mainframe database. NHTSA should better protect the computers used to access the NDR mainframe database.

Problem-Driver Records Were Not Entered into NDR in a Timely Manner, Were Improperly Deleted from NDR, and Contained Incomplete and/or Inaccurate Personal Information

Problem-Driver Records Not Entered Into NDR in a Timely Manner
According to NDR, Title 49, after becoming an NDR participating state, the chief driver’s licensing official of that state is responsible for submitting an individual’s profile for entry into the NDR database no more than 31 days after the state DMV receives the driver’s record of conviction. However, state DMVs maintain the driver’s conviction date, not the date the DMV received the conviction record. According to state officials we interviewed, DMVs normally receive a driver’s record about 30 days after a driver’s conviction. Thus, we used the driver’s conviction date plus 60 days to test the timeliness of the records entered into NDR from state DMVs.

We obtained a copy of the NDR database as of November 2005 and from that database selected a statistically valid sample of 273 records of the nine states visited. As shown in Table 1, only 100 NDR records from our sample were created within 60 days of the conviction date. In other cases, it took months or years before an NDR record was created for a driving violation.
Based on the sample results, we project that records for about 6 million problem drivers were not entered into NDR until at least 1 year after conviction.[7] In addition, the timeliness of 95 sample records could not be determined because the original date of record entry was not retained in NDR––a system design deficiency.

[7] We estimate with a 90 percent confidence level that the percentage of records recorded at least 1 year after conviction is 14 percent, or about 6 million of the 42 million overall records, with a margin of error of +/- 8 percentage points.

Table 1. Timeliness Analysis of State-Sampled Records Entered into NDR

State   Number of Records   0-60 Days   61-365 Days   > 365 Days   Timeliness Cannot Be Determined
1       63                  48          3             1            11
2       5                   3           2             0            0
3       46                  22          6             13           5
4       22                  5           8             0            9
5       23                  5           2             8            8
6       35                  7           11            4            13
7       39                  6           3             13           17
8       32                  4           3             1            24
9       8                   0           0             0            8
Total   273                 100         38            40           95
                            36%         14%           15%          35%

According to state officials we interviewed, they did
not enter records of problem drivers into NDR in a timely manner partially because they were not aware of the NDR legislative requirement to send driver profile records to NDR within 31 days of the day state DMVs received them. In addition, an NDR system design deficiency caused the date of driver records’ original entry to be replaced by the date that a system update occurred.

The impact of the delay in creating an NDR driver’s record increases the potential that problem drivers will seek a valid license in another state before NDR is updated. To ensure the timeliness of its data, NHTSA needs to make certain that states are aware of NDR requirements for submitting the profile of convicted offenders to NDR within 31 days. Further, NDR needs to correct the system deficiency that overwrites the original record entry date so that the original dates of entry are retained.

Records of Problem Drivers Improperly Removed From NDR
Problem-driver records are deleted from NDR through system interfaces with state DMV systems when convictions expire. In addition, NHTSA personnel can manually delete records from NDR. NHTSA performed about 1,000 of these manual deletions in 2006 based on requests it received from the states. These manual deletions are done to assist the states in immediately clearing a record when a driver’s license applicant has just corrected his/her status, thereby becoming eligible for a license. NHTSA requires state DMV officials to submit written requests for manual driver record deletions from NDR.

We selected two periods for review—January/February 2006 and June/July 2006. NHTSA personnel manually deleted 124 records and 33 records, respectively, during these two periods.
We reviewed the written requests sent to NHTSA and found that state officials did not list justifications for the requests but used pre-authorized forms to ask NHTSA to remove records from NDR. We contacted the states and found that 11 of the 157 records we reviewed were wrongfully removed while their convictions had not expired in state DMV systems. In response to our finding, the states placed the 11 incorrectly deleted records back into NDR. We verified that none of the drivers in question received new licenses during the period that their records were incorrectly removed from NDR.

This situation existed because NHTSA did not adequately verify information on the states’ request forms with designated state officials before deleting records from NDR. Additionally, they did not require state officials to provide written justification when requesting removal of a record. According to NHTSA officials, they normally verify requests with a follow-up telephone call to state officials before the record is deleted from NDR. However, they may not have done so for the 11 records that were incorrectly removed from NDR.

Finally, there was a lack of accountability—state officials could not identify the individuals who actually requested the removal of the 11 records in question. Two states, which were responsible for 9 of 11 incorrectly removed records, used pre-approved forms to request deletion of records of problem drivers from NDR. Thus, any DMV employee in these two states could ask NHTSA to remove a driver’s record from NDR by using pre-approved request forms.
To remediate this weakness, NHTSA should strengthen controls over the manual deletion process.

Incomplete or Inaccurate Personally Identifiable Information Impeding Identification of Problem Drivers

The National Driver Register, Title 49, requires that states send to NDR an individual’s legal name, date of birth, sex, and Social Security number if states use it for driver’s record or motor vehicle licensing purposes. Additionally, it requires the name of the state providing the information. The law also states that at the discretion of the Secretary of Transportation, a driver’s physical attributes (height, weight, eye color) can be required as part of the NDR record to assist state DMVs in identifying the correct individual.

State officials search the NDR database for specific individuals based on last name, first initial, and date of birth.8 Given the high number of potential matches, state officials must rely on other information recorded in NDR to identify drivers, such as physical attributes or Social Security numbers. However, state DMV officials did not consistently or accurately record such identifiable information because the law does not require the information. For example, we found that drivers’ physical attributes were missing from about 18 million of 42 million records in the NDR database (see details in Exhibit B). This made it more difficult for state officials to identify problem drivers.

8 The NDR name search algorithm uses both driver name and date of birth as the primary search factors and sex as the secondary factor in generating potential matches.
NHTSA should work with the states to determine which physical attributes are critical to identifying drivers and issue directives to mandate state submission accordingly.

Social Security numbers were included in about 26 million records (62 percent) in NDR. However, of that number, we found over 600,000 invalid Social Security numbers, such as 111-22-3333 and 222-33-4444. We also found over 161,000 duplicate Social Security numbers; that is, numbers that were used by more than one driver within the same state. This happened because state DMVs did not begin using the Social Security Online Verification System until recently. Currently, four states still do not conduct such verification.9

The current law does not mandate that state DMVs verify a Social Security number before issuing a driver’s license. However, the Real ID Act of 2005 requires that by December 2009, all Social Security numbers used to obtain driver’s licenses must be verified.10 Until corrected, these invalid and duplicate Social Security numbers could result in confusion and impede states’ ability to identify problem drivers under Real ID implementation. We provided information regarding these duplicate Social Security numbers to NHTSA and the Social Security Administration. NHTSA should work with state DMVs to correct invalid or duplicate Social Security numbers and to develop policies requiring the use of the online verification of Social Security numbers.

Modernization of NDR Too Limited

According to industry research studies, aging information systems are expensive to maintain and most are eventually retired and replaced. These studies suggest that because information systems become technically obsolete, they need to be considered for replacement every 8 to 10 years.
NDR, a system that was first computerized in the early 1980s as a flat file system with COBOL programs and that uses an in-house-developed search algorithm, last underwent a system conversion in 1995. In 2005, NHTSA began to modernize NDR by converting the flat files to a relational database and replacing COBOL programs with a modern-day programming language.

9 Online verification of Social Security numbers enables state officials to verify matching Social Security number, name, and date of birth of each driver through the Social Security Administration’s database.

10 The Real ID Act of 2005 establishes national standards for state-issued licenses and non-drivers’ identification cards. After May 11, 2008, a Federal agency may not accept, for any official purpose, a driver’s license or identification card issued by a state to any person unless the state is meeting the requirements specified in the Real ID Act.

Although this is definitely a step in the right direction, the planned modernization efforts were too limited. For example, NHTSA did not evaluate the need to upgrade NDR processing for better security protection or enhanced data integrity even though technologies for transmitting and processing information have changed significantly since the early 1980s. NHTSA should work with state DMVs to identify needed upgrades for modernization.

In addition, NHTSA did not consider replacing the in-house-developed search algorithm with commercial products (search engines). The search algorithm was developed by DOT personnel in 1982 to enable state officials to search for specific individuals in large flat files and may not be the best mechanism to search records in a relational database system.
Additionally, maintaining this special search algorithm will become more expensive when the current programming staff retires. NHTSA management should evaluate whether any commercial search engine products will work more effectively with the new relational database design and improve the accuracy and response time of license applicant searches.

NDR Contingency Plan Not Adequately Tested to Ensure Sufficient Service to State DMVs in Case of Emergency

According to NIST Special Publication 800-34, “Contingency Planning Guide for Information Technology Systems,” testing is a critical element of any viable contingency plan. One area requires testing system performance using alternate equipment; another specifies that the alternate site location should be in a geographic area that is unlikely to be negatively affected by the same disaster event as the organization’s primary site.

To its credit, NHTSA—in cooperation with AAMVA and state DMVs—has conducted quarterly testing of the NDR contingency plan. The exercise included recovering NDR system operations at an alternate site and testing the network connection between the recovery site and AAMVAnet. However, NHTSA has not tested whether the recovery system could process a similar number of transactions as the primary system without slowing down state DMV operations. NHTSA required only that the new telecommunications connection between AAMVAnet and the alternate NDR site be tested with a limited number of transactions. NHTSA assumed that the new telecommunications connection would provide the same level of transmission speed as the regular connection.

States have not fully participated in testing the transaction capacity of the recovery system using the new telecommunications line between AAMVA and the alternate data center.
Testing would determine whether the states can use the recovery system to verify problem drivers in a timely manner and whether the new connection would result in slower processing capacity at the alternate NDR data processing site. Either of these weaknesses could slow states’ processes for issuing or renewing driver’s licenses. To remediate these weaknesses, NHTSA should require states’ full participation in testing the transaction processing capacity of the recovery system.

In addition, the off-site storage facility containing all NDR backup tapes is approximately 15 miles from and within the same geographic region as the primary data processing center. NIST guidelines recommend storage of backup media outside the same geographic region as the primary data center. Because of their close proximity, both facilities could be vulnerable to loss in the event of a regional disaster. According to NHTSA, these facilities were established in such close proximity by the contractor and were outside NHTSA’s purview.

Loss of NDR’s primary processing center and backup facility could seriously damage DOT’s ability to continue operation of NDR. NHTSA management rated the system as high in its need to be available to state DMV users, because state DMVs rely on NDR to keep bad drivers from receiving licenses. Consequently, NHTSA needs to ensure that a copy of the weekly backup data files from the NDR data center is stored in a geographic region more distant than the off-site location it currently uses.


RECOMMENDATIONS

We recommend that the NHTSA Administrator direct the Senior Associate Administrator for Policy and Operations to:

Enhance security protection of NDR data by:

   1. Establishing an interconnection security agreement and memorandum of understanding with AAMVA to document security requirements, identify authorities, and specify responsibilities of both organizations, such as the encryption of the data and the security assurance required to meet Government minimum security standards.

   2. Installing encryption on the dedicated line between NHTSA and the NDR contractor site.

   3. Requiring NDR officials to (a) re-evaluate the position risk and associated background check requirement for the two NHTSA employees with the ability to change NDR software, (b) modify the cooperative agreement to require AAMVA personnel providing Help Desk services to have the appropriate type of background check, and (c) ensure that NDR mainframe data center employees’ background checks are sufficient to meet DOT policy requirements, as specified in the contract.

   4. Requiring that facilities used to store NDR records are properly secured at all times.

   5. Better protecting the NHTSA computers used to access NDR mainframe database, such as installing firewall security to separate these mission-critical computers from other computers on the network.

Enhance data timeliness and accuracy by:

   6. Working with states to (a) establish a mechanism to ensure that DMVs enter problem driver data into NDR within 31 days of receipt of conviction, as required by Title 49 and (b) modify the NDR database to ensure that the original date that the record of a problem driver was entered into the system is retained.

   7. Requiring NDR officials to (a) develop a standard process for states to use when requesting the manual removal of problem driver records from NDR, including the driver’s legal name, reason for the deletion, and name of the authorized state representative making the request and (b) require the NDR office to verify the state’s request before removal of the problem driver record.

   8. Requiring NDR officials to (a) work with state DMV officials to determine which physical attributes should be made mandatory for NDR reporting, provide the guidelines to the states in a directive, and establish edit checks in NDR to verify that required data fields are complete before accepting a record into the system and (b) require that state DMVs correct the invalid and duplicate Social Security numbers stored in NDR—a Federal system—and to use the online verification of Social Security numbers.

   9. Requiring NDR officials to (a) work with the state DMVs to determine what functional upgrades should be included in the NDR modernization plan and (b) evaluate whether any commercially available search engine will work more effectively with the relational database design and improve the accuracy and response time of driver applicant searches.

Enhance NDR’s contingency planning capability by:

  10. Coordinating with state DMVs to test the transaction processing capacity of the recovery system at the contractor’s alternate data center.

  11. Requiring that a copy of the weekly backup data files from the NDR data center be stored in a more remote site than the one currently used.


AGENCY COMMENTS AND OFFICE OF INSPECTOR GENERAL RESPONSE

A draft of this report was provided to NHTSA on September 5, 2007. On October 10th we received the Agency’s response, which can be found in its entirety in the Appendix. NHTSA concurred or concurred in part with our recommendations, stating that many items are already in the process of being, or have already been, completed. The response further stated that comprehensive corrective action plans have already been developed for the completion of the remaining items.

In general, the corrective actions that NHTSA management has taken and plans to take adequately address the intent of our recommendations except for recommendations 8(a), 8(b), and 10. NHTSA management’s responses to our recommendations are summarized as follows:

Recommendation 1: NHTSA concurred. NHTSA is in the process of finalizing an interconnection security agreement that will include encryption of NDR data transmitted on the AAMVAnet, and a memorandum of understanding. The planned completion date for this item is December 2007.

Recommendation 2: NHTSA concurred. NDR staff and NHTSA Chief Information Officer (CIO) will work with the Department’s Office of the CIO (OCIO) to establish encryption on the line between NHTSA and the contractor site where the NDR mainframe is housed. The planned completion date for this item is June 2008.

Recommendation 3 (a): NHTSA concurred. NHTSA will upgrade the position of risk designation of the employees and conduct appropriate background investigations. The planned completion date for this item is September 2008.

Recommendation 3 (b): NHTSA concurred.
A new cooperative agreement with AAMVA will be in place in 2008 and will include a requirement for AAMVA Help Desk personnel to have appropriate background investigations according to their level of access to NDR. The planned completion date for this item is June 2008.

Recommendation 3 (c): NHTSA concurred. As part of the required annual review of security controls, NHTSA will validate the background investigations for all employees with access to NDR. The planned completion date for this item is October 2007.

Recommendation 4: NHTSA concurred. The action required by this recommendation has been completed as of June 2007. All NDR records are currently being stored in a secure room in locked cabinets.

Recommendation 5: NHTSA concurred. The NHTSA CIO will coordinate with the Department’s OCIO to obtain desktop/laptop firewall capabilities to protect the NHTSA computers used to access the NDR mainframe database. The capabilities will be tested and approved for operation in the DOT’s Common Operating Environment. The planned completion date for this item is March 2008.

Recommendation 6(a): NHTSA concurred. NDR will coordinate with the state DMVs to re-emphasize the 31-day reporting requirement for revoked and suspended driver’s licenses. NHTSA will post notices on the AAMVA bulletin board and advise DMV personnel of the requirement, as part of its continuing outreach initiative. The planned start date for this item is November 2007.

Recommendation 6(b): NHTSA concurred. As part of the NDR modernization effort, a field that will store the date that a pointer is first entered into the NDR is being created. The planned completion date for this item is FY 2009.

Recommendation 7(a): NHTSA concurred.
A standard process used by states to request the manual removal of problem driver records from NDR has been implemented as of April 2007.

Recommendation 7(b): NHTSA concurred. NHTSA has been requiring the NDR office to verify a state’s request before the manual removal of a problem driver record from the system since April 2007.

Recommendation 8(a): NHTSA concurred in part. NHTSA will consult with state DMVs to determine which physical attributes should be made mandatory for NDR reporting between November 2007 and the summer of 2008. After that, NHTSA will determine whether it should revise the reporting requirements for states’ reporting to NDR. However, NHTSA does not believe that the failure to include physical attributes should be a basis for refusing a record into the NDR if other appropriate identifying information is provided.

NHTSA’s proposed corrective action includes a consultation with the states to determine which physical attributes should be made mandatory for NDR reporting. However, the response goes on to state that NHTSA does not believe that the failure to include physical attributes should result in the refusal of a record into NDR. If NHTSA intends to accept records into NDR without physical attributes, even though required, it should indicate how it intends to follow up with states to obtain the required information, such as sending a management exception report listing incomplete submissions for the states to resolve within a specified time frame. Otherwise, NHTSA’s response suggests that it may establish reporting physical attributes as a requirement but will not enforce it.

Recommendation 8(b): NHTSA concurred in part. NHTSA states they will work to identify and share “best practices” for detecting duplicate SSNs contained in state DMV databases.
However, since states will be required to verify SSNs under the Real ID Act, NHTSA believes that implementing a separate verification requirement would be unnecessary. The planned completion date for this item is FY 2008.

While NHTSA’s proposed corrective action for verifying the SSNs of future license applicants is a step in the right direction, it did not address cleanup of invalid and duplicate SSNs already in the NDR database. Without this step, problem drivers already recorded in NDR under an inaccurate SSN could reapply for a license using the correct SSN and not be detected in NDR. The OIG provided NHTSA with a copy of duplicate and invalid SSNs that were detected in NDR. NHTSA should use this data to collaborate with the states and correct these items in NDR.

Recommendation 9(a): NHTSA concurred in part. As part of the FY 2008 alternatives analysis required for the NDR modernization capital planning process, NHTSA will initiate communications with state users to ascertain desired enhancements that should be included in the modernization process. The planned completion date for this item is September 2008. NHTSA’s planned corrective action meets the intent of our recommendation.

Recommendation 9(b): NHTSA concurred. As part of the FY 2008 alternatives analysis required for the NDR modernization capital planning process, NHTSA will examine commercially available software products and determine the usefulness of incorporating them into the NDR name search algorithm. The planned completion date for this item is June 2008.

Recommendation 10: NHTSA concurred in part. NHTSA will expand the testing of the recovery system to include a more significant processing load. However, NHTSA does not believe that the disaster recovery test needs to be at normal production capacities.
The planned completion date for this item is June 2008.

While increasing the volume of test data is a step in the right direction, NHTSA did not specify the transaction volume to be used in testing the recovery system. NHTSA needs to specify the planned transaction volume for testing and share the results—system response times—with state DMV users. This will help users to anticipate system performance levels in the event of an actual recovery scenario.

Recommendation 11: NHTSA concurred in part. NHTSA is currently evaluating the cost and impact of storing a copy of the weekly NDR backup tapes at a more distant alternate Federal facility. By January 2008, NHTSA will start implementing necessary changes based on the analysis results. NHTSA’s planned corrective action meets the intent of our recommendation.


ACTIONS REQUIRED

Except for recommendations 8(a), 8(b), and 10, actions taken and planned by NHTSA are responsive to our recommendations and are considered resolved subject to the follow-up requirements in DOT Order 8000.1C. We would appreciate receiving NHTSA’s revised response to recommendations 8a, 8b, and 10 within 30 days.

We appreciate the courtesies and cooperation of the National Highway Traffic Safety Administration during this audit. If you have any questions concerning this report, please contact me at (202) 366-1496 or Nathan Custer, Acting Program Director, at (202) 366-5540.

#

cc: Chief Information Officer, DOT
    Senior Associate Administrator for Policy and Operations, NPO-010
    Chief Information Officer, FMCSA
    Martin Gertel, M-1
    Antonyio Johnson, NPO-310


EXHIBIT A. SCOPE AND METHODOLOGY

This audit was conducted at NHTSA Headquarters in Washington, D.C.; the NDR contractor’s data processing site in New Jersey; the American Association of Motor Vehicle Administrators’ (AAMVA) offices in Arlington, Virginia; and the following selected state motor vehicle administration offices: California, Maryland, Nebraska, New Hampshire, New York, North Carolina, Oregon, Tennessee, and Virginia.

We reviewed NDR system security by examining policies and procedures, observing controls in operation, and conducting appropriate tests for security. We also examined the access security inherent in the NDR system and Federal, state, and contractor personnel access controls to NDR information, and used a commercial tool to assess the vulnerability of NHTSA’s network.

We used a data mining tool to test the accuracy, timeliness, and completeness of the data that NDR processed. We interviewed Federal and state officials to determine the frequency of state submissions to NDR, the time it takes for NDR to update information after it is submitted, and the length of time the records are maintained in NDR. We evaluated whether verification checks were performed on specific data elements, such as Social Security numbers.

In addition, we reviewed the system’s security certification documents to examine the business impact analysis and assignment of system risks, to determine whether risks had been properly assessed, and to verify whether a contingency plan existed and had been tested.

We did not test security protection of the AAMVAnet or state DMV systems because they are not NHTSA’s responsibility. Our review of the Social Security numbers recorded in NDR was limited to checking for obviously incorrect and duplicate numbers.
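
The checks this exhibit describes (obviously incorrect and in-state duplicate Social Security numbers), together with the completeness and Table 1 timeliness tests from the findings, can be sketched as follows. This is an added example, not the OIG's data mining tool or NDR code. The record layout, field names and sample records are constructed, and the repeated-digit placeholder rule is an assumption chosen so that values like 111-22-3333 are flagged.

```python
import re
from collections import Counter, defaultdict
from datetime import date

# Constructed sample records, not NDR data. Layout and field names are
# assumptions; "first_entered" stands for the original entry date that the
# report says NDR overwrote whenever a record was updated.
RECORDS = [
    {"id": 1, "state": "AA", "ssn": "212-55-0101", "height": "5-10", "weight": 170,
     "eye_color": "BRO", "conviction": date(2005, 1, 10), "first_entered": date(2005, 2, 1)},
    {"id": 2, "state": "AA", "ssn": "212550101", "height": "6-01", "weight": 190,
     "eye_color": None, "conviction": date(2004, 3, 1), "first_entered": date(2004, 9, 15)},
    {"id": 3, "state": "BB", "ssn": "212-55-0101", "height": "5-04", "weight": 130,
     "eye_color": "BLU", "conviction": date(2003, 6, 1), "first_entered": date(2005, 6, 1)},
    {"id": 4, "state": "BB", "ssn": "111-22-3333", "height": None, "weight": None,
     "eye_color": None, "conviction": date(2005, 8, 1), "first_entered": None},
    {"id": 5, "state": "BB", "ssn": "666-12-3456", "height": "5-08", "weight": 155,
     "eye_color": "GRN", "conviction": date(2006, 1, 1), "first_entered": date(2006, 3, 2)},
    {"id": 6, "state": "AA", "ssn": None, "height": "5-11", "weight": 180,
     "eye_color": "HAZ", "conviction": date(2006, 5, 1), "first_entered": date(2006, 5, 20)},
]

PHYSICAL_ATTRIBUTES = ("height", "weight", "eye_color")
SSN_RE = re.compile(r"^(\d{3})-?(\d{2})-?(\d{4})$")


def ssn_problem(ssn):
    """Return why an SSN is obviously invalid, or None if it passes."""
    if not ssn:
        return None  # an absent SSN is a completeness issue, not a validity one
    match = SSN_RE.match(ssn)
    if not match:
        return "malformed"
    area, group, serial = match.groups()
    # Area 000, 666 and 900-999, group 00 and serial 0000 are never issued.
    if area in ("000", "666") or area >= "900":
        return "unissued area number"
    if group == "00" or serial == "0000":
        return "unissued group or serial number"
    # Assumed heuristic: every part is one repeated digit (111-22-3333).
    if all(len(set(part)) == 1 for part in (area, group, serial)):
        return "placeholder pattern"
    return None


def duplicate_ssns(records):
    """Map (state, SSN digits) to record ids when one state reuses an SSN."""
    seen = defaultdict(list)
    for rec in records:
        if rec.get("ssn"):
            digits = re.sub(r"\D", "", rec["ssn"])  # ignore dash formatting
            seen[(rec["state"], digits)].append(rec["id"])
    return {key: ids for key, ids in seen.items() if len(ids) > 1}


def missing_physical(record):
    """Edit check: list the physical attributes a record does not carry."""
    return [field for field in PHYSICAL_ATTRIBUTES if not record.get(field)]


def timeliness_bucket(record):
    """Place a record in the Table 1 bucket for conviction-to-entry delay."""
    entered, convicted = record.get("first_entered"), record.get("conviction")
    if entered is None or convicted is None or entered < convicted:
        return "cannot be determined"
    days = (entered - convicted).days
    if days <= 60:
        return "0-60 days"
    return "61-365 days" if days <= 365 else "> 365 days"


def audit(records):
    """Run every check and return the exceptions keyed by record id."""
    invalid, incomplete, buckets = {}, {}, Counter()
    for rec in records:
        reason = ssn_problem(rec.get("ssn"))
        if reason:
            invalid[rec["id"]] = reason
        missing = missing_physical(rec)
        if missing:
            incomplete[rec["id"]] = missing
        buckets[timeliness_bucket(rec)] += 1
    return {"invalid_ssn": invalid, "duplicate_ssn": duplicate_ssns(records),
            "missing_physical": incomplete, "timeliness": dict(buckets)}


if __name__ == "__main__":
    for check, result in audit(RECORDS).items():
        print(check, result)
```

Record 3 carries the same number as records 1 and 2 but is not reported, because the report counts duplicates only within a state; record 4 lands in "cannot be determined" because its original entry date is missing.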
We did not validate the accuracy of Social Security numbers because all\nstates except four were performing on-line verification with the Social Security\nAdministration\xe2\x80\x99s database. We did not test whether driver\xe2\x80\x99s licenses were issued\nimproperly as a result of the untimely entering of problem-driver data into NDR.\n\nWe performed our audit work between March 2005 and December 2006. This\nperformance audit was conducted in accordance with Generally Accepted\nGovernment Auditing Standards prescribed by the Comptroller General of the United\nstates and included such tests as we considered necessary to detect fraud, waste, and\nabuse.\n\n\n\n\nExhibit A. Scope and Methodology\n\x0c                                                                                               22\nEXHIBIT B. NDR STATE-BY-STATE DATA BREAKDOWN\n                                                                           Records Missing\n                       Number of          Records        Duplicate SSN\n    State Name                                                                Physical\n                        Records        Containing SSN      in-State\n                                                                              Attributes\nAlabama                      507,002           411,426             2,320             127,570\nAlaska                       196,344           181,261               331              22,404\nArizona                    1,295,738           655,285               975             291,449\nArkansas                     265,911           119,584               230              47,706\nCalifornia                 3,318,564            82,846                64             737,366\nColorado                   1,171,788           548,469             1,237             262,557\nConnecticut                  329,904           176,639                67             329,904\nDelaware                     105,766            66,257                22    
          27,203\nDistrict of Columbia          74,742            59,819                44              32,549\nFlorida                    1,929,266         1,625,678            11,214           1,929,265\nGeorgia                    1,237,210           811,219             3,133             152,816\nHawaii                        92,881            85,336                 0              21,989\nIdaho                        233,184           189,514                 3              49,373\nIllinois                   2,148,671                 0               N/A             878,089\nIndiana                      783,144           574,958             2,489             117,104\nIowa                         453,307           379,478                 5              75,761\nKansas                       391,154           267,908               933              52,423\nKentucky                     349,067           328,176                93              54,149\nLouisiana                    443,462           375,385            14,108               9,028\nMaine                        356,948           137,851             1,144             147,301\nMaryland                     894,861           631,638             2,511             894,861\nMassachusetts              1,466,277         1,101,289             7,888           1,466,277\nMichigan                   1,250,512           305,332             4,249              80,999\nMinnesota                    357,859           255,046             1,007              50,433\nMississippi                  278,736            38,137                42              29,369\nMissouri                     741,579           671,308                16              65,649\nMontana                      136,991           117,618                50              10,764\nNebraska                     397,253           323,703               202              64,269\nNevada                       444,748           422,603               907              45,267\nNew 
Hampshire                256,102           152,537               258             103,073\nNew Jersey                 2,277,988         1,772,504            18,890             185,339\nNew Mexico                   281,564           274,817               193             114,337\nNew York                   1,515,930           706,119             2,629           1,515,930\nNorth Carolina             2,613,467         1,954,815             7,428           2,613,463\nNorth Dakota                  62,615               947                 0              11,535\nOhio                       1,951,414         1,856,350                 0             168,148\nOklahoma                     661,725           391,881               276             130,375\nOregon                     1,211,533           204,901               218           1,211,533\nPennsylvania               1,641,242         1,157,012             3,046           1,641,242\nRhode Island                 373,146           180,592            12,757             275,151\nSouth Carolina               769,946           545,186            14,975             769,946\nSouth Dakota                 105,643            83,415               107              20,186\nTennessee                  1,498,246         1,286,326             3,302             254,447\nTexas                      1,604,701         1,364,964            21,184             105,009\nUtah                         460,592           405,867             1,052              67,477\nVermont                      183,312           117,650               982              98,318\nVirginia                   1,303,600         1,258,352             9,777              71,581\nWashington                   845,874           651,094             1,604             113,095\nWest Virginia                275,658           264,614               230              20,045\nWisconsin                    890,268           698,513             7,134             129,761\nWyoming                       
83,919            75,490                53              20,961\nTotals                    42,521,354        26,347,709           161,379          17,714,846\n\nN/A - Not Applicable\n\n\n\n\nExhibit B. NDR State-by-State Data Breakdown\n\x0c                                                                 23\n\n\nEXHIBIT C. MAJOR CONTRIBUTORS TO THIS REPORT\n\nNAME                                    TITLE\nEd Densmore                             Program Director\nNathan Custer                           Project Manager\nDr. Ping Z. Sun                         Project Manager\nMichael P. Fruitman                     Communications Adviser\nJim Mallow                              Senior Auditor\nHenry Lee                               Computer Scientist\nMitchell Balakit                        Information Technology\n                                        Specialist\nChristopher Cullerot                    Information Technology\n                                        Specialist\nVasily Gerasimov                        Information Technology\n                                        Specialist\nMartha Morrobel                         Information Technology\n                                        Specialist\nHarriet E. Lambert                      Writer-Editor\n\n\n\n\nExhibit C. Major Contributors to This Report\n\x0c                                                                                            24\n\n\nAPPENDIX. MANAGEMENT COMMENTS\n\n\n\n                                         Memorandum\nU.S. Department\nof Transportation\nNational Highway\nTraffic Safety\nAdministration\n\n\n\nSubject:     Corrective Action to Draft Report                Date:     October 10, 2007\n             on Audit of Security and Controls\n             Over the National Driver Register\n\nFrom:        Nicole R. Nason                               Reply to     Rebecca Lang\n             Administrator                                 Attn. 
of:    Office of the Inspector\n             X6-1836                                                    General\n                                                                        X6-1488\nTo:          Kurt Hyde\n             Assistant Inspector General for\n             Surface and Maritime Programs\n\n\nAttached are the National Highway Traffic Safety Administration (NHTSA) proposed responses\nand corrective actions to address the eleven recommendations in the Office of the Inspector\nGeneral's recent Audit of the NHTSA's Security and Controls Over the National Driver Register\nProgram, forwarded to us on September 7.\n\nIf you have any questions on this response, please contact Antonyio Johnson, our OIG Liaison at\nX6-1480.\n\nAttachment\n\n\n            NATIONAL HIGHWAY TRAFFIC SAFETY ADMINISTRATION\n                     RESPONSE TO OIG DRAFT REPORT\n\nTITLE: Audit of Security and Controls over the National Driver Register. PROJECT\nNUMBER: 05F3019F000.\n\n     NATIONAL HIGHWAY TRAFFIC SAFETY ADMINISTRATION POSITION\n\nNHTSA thanks the Office of Inspector General for this report, and its willingness to work with\nthe agency to describe most accurately the conditions surrounding the National Driver Register\nprogram. 
The agency’s response indicates any areas where there are concerns with\nimplementing the recommendations found in the report.\n\n\nRecommendation 1: Enhance security protection of NDR data by establishing an\ninterconnection security agreement and memorandum of understanding with AAMVA to\ndocument security requirements, identify authorities, and specify responsibilities of both\norganizations, such as the encryption of the data and the security assurance required to meet\nGovernment minimum security standards.\n\nResponse: Concur.\n\nCorrective Action: NHTSA already has developed a draft interconnection security agreement\nand memorandum of understanding that is going through internal agency review. Once that\nreview is completed, NHTSA will work with AAMVA to finalize and sign the recommended\ndocuments. Planned completion date: December 2007.\n\n\nRecommendation 2: Enhance security protection of NDR data by installing encryption on the\ndedicated line between NHTSA and the NDR contractor site.\n\nResponse: Concur.\n\nCorrective Action: NDR and NHTSA CIO will work with DOT CIO to establish encryption on\nthe line between NHTSA and the timeshare vendor site. Planned completion date: June 2008.\n\n\nRecommendation 3 (a): Enhance security protection of NDR data by requiring NDR officials to\nreevaluate the position risk and associated background check requirement for the two NHTSA\nemployees with the ability to change NDR software.\n\nResponse: Concur.\n\nCorrective Action: NHTSA will upgrade the position of risk designation of the employees and\nconduct appropriate background investigations. While the investigations are underway the\nemployees will continue to function in their current duties. Reclassification of position planned\ncompletion date: September 2008.\n\n\nRecommendation 3 (b): Modify the cooperative agreement to require AAMVA personnel\nproviding Help Desk services to have the appropriate type of background check.\n\nResponse: Concur.\n\nCorrective Action: A new cooperative agreement with AAMVA will be in place in 2008 and\nwill include a requirement for AAMVA Help Desk personnel to have an appropriate background\ninvestigation according to their level of access to the PDPS. Planned completion date: June\n2008.\n\nRecommendation 3 (c): Ensure that NDR mainframe data center employees’ background\nchecks are sufficient to meet DOT policy requirements, as specified in the contract.\n\nResponse: Concur.\n\nCorrective Action: As part of the annual review of security controls required by NIST 800-53,\nNHTSA will validate the background investigations for all employees with access to the PDPS.\nPlanned completion date: October 2007.\n\n\nRecommendation 4: Require that facilities used to store NDR records are properly secured at\nall times.\n\nResponse: Concur.\n\nCorrective Action: The action required by this recommendation was completed in June 2007.\nAll NDR records are now stored in a secure room in locked cabinets.\n\n\nRecommendation 5: Better protecting the NHTSA computers used to access NDR mainframe\ndatabase, such as installing firewall security to separate these mission critical computers from\nother computers on the network.\n\nResponse: Concur.\n\nCorrective Action: NHTSA OCIO will coordinate with DOT CIO to obtain desktop/laptop\nfirewall capabilities tested and approved for operation in the Common Operating Environment.\nPlanned completion date: March 2008.\n\n\nRecommendation 6(a): Working with the states to establish a mechanism to ensure that DMVs\nenter problem driver data into NDR within 31 days of receipt of conviction as required by Title\n49\n\nResponse: 
Concur.\n\nCorrective Action: NDR will initiate an information outreach campaign with the state DMV’s\nto re-emphasize the need to comply with the 31-day reporting requirement for revoked and\nsuspended driver’s licenses. NHTSA will post notices on the AAMVA bulletin board and\nadvise motor vehicle personnel of the requirement. Initial action date: Continuing outreach\ninitiatives to commence with November 2007.\n\n\nRecommendation 6(b): Working with the states to modify the NDR database to ensure that the\noriginal date that the record of a problem driver was entered into the system is retained.\n\nResponse: Concur.\n\nCorrective Action: As part of the development of the new PDPS system, NDR is creating a\nfield that will store the date a pointer is first entered into the PDPS. Planned completion date:\nFY 2009.\n\n\nRecommendation 7(a): Requiring NDR officials to develop a standard process for states to use\nwhen requesting the manual removal of problem driver records from the NDR, including the\ndriver’s legal name, reason for the deletion, and name of the authorized state representative\nmaking the request.\n\nResponse: Concur.\n\nCorrective Action: The action required by this recommendation was completed in April 2007.\n\n\nRecommendation 7(b): require the NDR office to verify the state’s request before removal of\nthe problem driver record.\n\nResponse: Concur.\n\nCorrective Action: The action required by this recommendation was completed in April 2007.\n\n\nRecommendation 8(a): Requiring NDR officials to work with state DMV officials to determine\nwhich physical attributes should be made mandatory for NDR reporting, provide the guidelines\nto the states in a directive, and establish edit checks in the NDR to verify that required data fields\nare complete before accepting a 
record into the system.\n\nResponse: Concur-in-part.\n\nCorrective Action: The NDR will consult with state driver licensing agencies to determine\nwhich physical attributes should be made mandatory for NDR reporting. After this consultation,\nthe Agency will review its regulation to determine whether it is necessary to revise the current\nreporting requirements. However, the Agency does not believe that the failure to include\nphysical attributes should be a basis for refusing a record into the NDR if other appropriate\nidentifying information is provided because it may result in that record not being included in the\nNDR database. This in turn, may result in a revoked or suspended driver being able to obtain a\ndriver’s license in another jurisdiction. It is important to note that the Agency has limited\npractical ability to enforce these requirements on the states. We prefer to rely on education and\ncooperation with the states to help ensure an effective NDR program. Planned completion\ndate: Initial discussions to be held with the Motor Vehicle Administrators in November 2007\nand again during the summer of 2008. Any necessary revisions to the regulation will follow\nthese discussions.\n\n\nRecommendation 8(b): require that state DMV’s correct the invalid and duplicate Social\nSecurity numbers stored in NDR – a Federal system – and to use the online verification of Social\nSecurity numbers.\n\nResponse: Concur-in-part.\n\nCorrective Action: NHTSA agrees that states should work to remove the duplicate SSN’s\nfrom their licensing databases. The NDR will work with the two states that showed no duplicate\nSocial Security Numbers to identify “best practices” for methods to detect duplicate SSN’s\ncontained on their databases. 
NHTSA will initiate an outreach program with the states to share\nthese best practices. However, forty-eight states and the District of Columbia have the capability\nto verify the validity of SSN’s with the Social Security On-Line Verification (SSOLV) system.\nTo initiate a separate action for this recommendation for the use of SSOLV by NHTSA would\nbe duplicative. Planned completion date: Initiate contact with two states with zero duplicate\nSSN’s in November 2007 to document best practices. These best practices will be distributed to\nthe states in the summer of 2008 during the AAMVA regional conferences.\n\n\nRecommendation 9(a): Requiring NDR officials to work with the state DMV’s to determine\nwhat functional upgrades should be included in the NDR modernization plan.\n\nResponse: Concur-in-part.\n\nCorrective Action: As part of the FY 2008 alternatives analysis required as part of the capital\nplanning process, the NDR will initiate communications with state users to ascertain desired\nenhancements and to determine whether these should result in additional system changes.\nPlanned completion date: September 2008.\n\n\nRecommendation 9(b): Evaluate whether any commercially available search engine will work\nmore effectively with the relational database design and improve the accuracy and response time\nof the driver applicant searches.\n\nResponse: Concur.\n\nCorrective Action: As part of the FY 2008 alternatives analysis required as part of the capital\nplanning process, the NDR will examine commercially available software products to determine\nthe usefulness of incorporating them into a future enhancement of the PDPS Name-Match\ndatabase search algorithm. Planned completion date: June 2008.\n\n\nRecommendation 10: Coordinating with state DMVs to test the transaction processing capacity\nof the recovery system at the contractor’s alternate data center.\n\nResponse: Concur-in-part.\n\nCorrective Action: NHTSA will expand the recovery testing to ensure functionality with a\nmore significant load, which should provide a closer approximation of complete system\nperformance in times where a national emergency would require use of the recovery system.\nNHTSA does not believe that the disaster recovery test needs to have the backup site function at\nnormal production capacities. Further, NIST 800-34 does not require full hot-site redundancy for\nsystems, such as PDPS, that are not national security systems. It is neither practical nor cost\neffective for a state to switch their entire processing capabilities for a test of this nature. Planned\ncompletion date for expanding the recovery testing: June 2008.\n\n\nRecommendation 11: Requiring a copy of the weekly backup data files from the NDR data\ncenter be stored in a more remote site than the one currently used.\n\nResponse: Concur-in-part.\n\nCorrective Action: NHTSA is currently evaluating the cost and impact of storing a copy of the\nweekly NDR backup tapes at an alternate Federal facility. Planned completion date: Analysis by\nJanuary 2008; implementing any necessary changes according to a schedule to be agreed upon\nwith the DOT CIO following the completion of the analysis.\n\n\nThe following pages contain textual versions of the graphs and charts found in this\ndocument. These pages were not in the original document but have been added\nhere to accommodate assistive technology.\n\n\n           Security and Controls Over the National Driver Register\n\n                     Section 508 Compliance Presentation\n\n\nFigure 1. 
Overview of NDR System Connections\n\nThis diagram shows that the NDR is housed at a contractor site and how it\ninterfaces with NHTSA at the DOT headquarters and with the States through the\nAAMVA network.\n\nNHTSA is connected directly to the NDR via a dedicated line. NHTSA is also\nconnected to the Department of Transportation’s internal network, on which other\nDOT operating administrations also reside. Examples of these other operating\nadministrations include the Federal Aviation Administration and the Federal Rail\nAdministration. Every operating administration within DOT is connected to the\ninternet via the Department’s internal network.\n\nOn the State side, the NDR is directly connected to the AAMVA network. Each\nof the State DMVs is also connected to the AAMVA network and is able to\ninterface with the NDR via this network. The AAMVA headquarters also is able\nto interface with the NDR via the AAMVA network. State DMVs and the\nAAMVA are connected to the internet.\n"